directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject Re: Questioning some parts of the configuration
Date Thu, 11 Jun 2009 17:31:33 GMT
A few more things at the end of this mail ...

Emmanuel Lecharny wrote:
> Hi guys,
> as I'm trying to figure out a DiT based configuration for ADS, I'm now 
> questioning some choices that have been made long ago. I think we can 
> simplify the configuration a bit.
> Let's start with some preliminary comments.
> - the base for all the storage is a DirectoryService. This is the 
> heart of our system.
> - we have built a lot of servers on top of it, like Kerberos, DHCP, 
> DNS, ChangePW and LDAP. Those servers rely on the DirectoryService
> - we have one unique server, NTP, which is standalone - ie, it does 
> not need any DirectoryService -.
> - the Ldap server is a bit special, as it is not named LdapServer, as 
> we would expect when we have a look at the other servers, but 
> ApacheDS, and it points to 2 LdapService (which in turn associate a 
> DirectoryService with a transport)
> - a Transport is a protocol layer defining the host, port, protocol 
> and some other network related parameters. Each server has at least 
> one transport.
> Ok, so far, we are lost now :)
> I would suggest we clean up a bit all of this.
> 1) ApacheDS is a condensed name for ApacheDirectoryServer. It's a 
> server. we will keep the two services (Ldap and Ldaps), even if we 
> should treat them as transport, not service.
> 2) All the other servers (NTP, DHCP, Kerberos, DNS) are a combination 
> of one or more transports and an optional DirectoryService, if needed.
> 3) We will define only one DirectoryService for LDAP. We may want 2 
> DirectoryServices, one for LDAP and another one for LDAPS. But this is 
> not what we have in ApacheDS atm (looking at the code, the 
> DirectoryService is defined 3 times : in ApacheDS and in both 
> LdapService).
> 4) The consequence is that some flags like AllowAnonymousAccess is now 
> useless in ApacheDS, as it's already present in the LdapService 
> instances.
> 5) The SyncOnWrite flag is defined in a Service class, instantiated in 
> ApacheDS. That's most certainly not what we want, as it defines a 
> worker thread in charge of calling directoryService.synch() 
> periodically. This thread is specific to ApacheDS, and won't be 
> available to someone who wants to use a DirectoryService as a server 
> backend. I suggest we move the Worker to DirectoryService.
6) LdapService should be renamed to LdapServer. Everything associated 
with a Transport is a server, not a service.
7) We should be able to handle LDAP _and_ LDAPS in the LdapServer. Atm, 
it's done by declaring two LdapService, which is not a good idea, as it 
duplicates a lot of configuration elements. There is no difference 
between LDAP and LDAPS, except that we use SSL. Imo, it's just a matter 
of defining some new transport (different port, SSL enabled)
8) The transport class should be extended to enable or disable SSL.

cordialement, regards,
Emmanuel Lécharny
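To make the shape of the proposal above concrete, here is an added illustration that is not part of the thread and not ApacheDS code: a small Python model of points 3, 4, 6, 7 and 8 (one DirectoryService, one LdapServer, SSL as a Transport property, AllowAnonymousAccess held in a single place), next to a check that shows why the current layout, with the DirectoryService and its flags declared once per LdapService, is fragile. All class and function names (DirectoryService, Transport, LdapServer, validate, old_layout_anonymous_access) are assumptions made for this example, not the project's own API.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed model of the proposed layout (example code, not ApacheDS).

@dataclass
class DirectoryService:
    """The storage core. Declared once and shared by every LDAP transport."""
    name: str
    allow_anonymous_access: bool = False   # lives here, not duplicated per service
    sync_period_millis: int = 15000        # the SyncOnWrite worker belongs here too


@dataclass(frozen=True)
class Transport:
    """Network endpoint; proposal 8 makes SSL a transport property."""
    host: str
    port: int
    ssl_enabled: bool = False


@dataclass
class LdapServer:
    """Proposal 6/7: one server, one DirectoryService, several transports."""
    directory_service: DirectoryService
    transports: List[Transport] = field(default_factory=list)

    def add_transport(self, transport: Transport) -> None:
        self.transports.append(transport)


def validate(server: LdapServer) -> List[str]:
    """Return a list of configuration problems; an empty list means the server is consistent."""
    problems = []
    if not server.transports:
        problems.append("LdapServer has no transport")
    seen = set()
    for t in server.transports:
        key = (t.host, t.port)
        if key in seen:
            problems.append(f"transport {t.host}:{t.port} declared twice")
        seen.add(key)
        if not (0 < t.port < 65536):
            problems.append(f"invalid port {t.port} on {t.host}")
    return problems


# The current layout, modelled for comparison: each LdapService carries its own
# DirectoryService, so the same flag exists in several places and can disagree.
@dataclass
class OldLdapService:
    directory_service: DirectoryService
    transport: Transport


def old_layout_anonymous_access(services: List[OldLdapService]) -> bool:
    """Resolve AllowAnonymousAccess across duplicated declarations.

    Raises ValueError when the copies disagree, which is exactly the ambiguity
    a single DirectoryService removes.
    """
    values = {s.directory_service.allow_anonymous_access for s in services}
    if len(values) != 1:
        raise ValueError("AllowAnonymousAccess differs between LdapService instances")
    return values.pop()


def build_proposed_server() -> LdapServer:
    """Constructed sample: LDAP and LDAPS differ only by port and SSL flag."""
    ds = DirectoryService(name="default", allow_anonymous_access=False)
    server = LdapServer(directory_service=ds)
    server.add_transport(Transport(host="localhost", port=10389))
    server.add_transport(Transport(host="localhost", port=10636, ssl_enabled=True))
    return server


if __name__ == "__main__":
    server = build_proposed_server()
    print("proposed layout problems:", validate(server))
    # Constructed example of the current layout drifting out of sync.
    ldap = OldLdapService(DirectoryService("ds", allow_anonymous_access=True),
                          Transport("localhost", 10389))
    ldaps = OldLdapService(DirectoryService("ds", allow_anonymous_access=False),
                           Transport("localhost", 10636, ssl_enabled=True))
    try:
        old_layout_anonymous_access([ldap, ldaps])
    except ValueError as e:
        print("old layout:", e)
```

In the proposed shape, the anonymous-access decision is read from the one DirectoryService, so the two transports cannot disagree about it; in the old shape the value has to be reconciled at runtime, and a silent "first one wins" rule would be the kind of inconsistency the mail is arguing against.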
